Definitions

The following list describes acronyms and definitions for terms used throughout this document. 



Name        Description
AD          Microsoft's Active Directory
API         Application Program Interface
ARF         Automated Regression Factory
CDSI        Cisco Directory Services Interface
CNS         Cisco Network Services
CNSESCAP    CNS Event Service Client Applications
CNSESCAPI   CNS Event Service Client API
CNSGPOAPI   CNS Global Policy Object API
CNSKCPAPI   CNS Kerberos Change Password API
ENA         Extended Network Architecture
FCS         First Customer Ship
GPO         Global Policy Object
GPORS       Global Policy Object Resolver Service
GSS-API     Generic Security Service Application Program Interface
IOS         Internetwork Operating System
KCPP        Kerberos Change Password Protocol
LDAP        Lightweight Directory Access Protocol
PAC         Privilege Attribute Certificate
SSPI        Security Support Provider Interface
TCO         Total Cost of Ownership

1 Abstract

CNS IOS Client for IOS was initially released in the previous release, IOS 12.04(T). It consists of the following 
features: 

• LDAP V3 implementation 

• CNS Locator Service API 

• CNS Event Service Client API 

This program plan describes the development effort for the CNS IOS Client for the IOS 12.05(T) release. The release
is intended as a follow-up to 12.04(T) with the following new features:

• CNS GPO API and IPSec Policy Agent 

Group Policy allows an organization to reduce its TCO by allowing administrators to define centralized policies
and apply them to groups of objects using the infrastructure provided by Cisco Directory Services. The CNS GPO
Resolver Service impersonates an IOS client to retrieve policy information from Directory Services and send it back
when the IOS client requests it through the GPO API.

• CNS Configuration Notify Agent 

The Configuration Notify Agent will send an event as soon as the running configuration of an IOS device changes.
This is especially useful for Network Service Management applications that are sensitive to configuration-change
events.

• CNS Provision Agent 

The Provision Agent provides a generic, secure and reliable way to deliver CLI commands to the running
configuration of an IOS device. This feature is wanted by various ISP customers including Telstra.

Figure 1 shows those components and interfaces in IOS. 

CNS IOS Client for IOS in 12.05(T) continues to add infrastructure (APIs) for CNS. It also has a couple of IOS
client applications. Some of the IOS applications that will make use of those APIs are:

• Policy-based Security Management

• CNS Policy-based QoS/CoS for GSR/ISP devices

• CNS Fault Management for Cisco NASes, H323, and/or Cable Modems

• CNS Policy-based VPN implementation

Figure 1: CNS IOS Components in IOS Classic 12.04T/12.05T

2 Objectives

2.1 Project Priority 

The objective of this project is to deliver the CNS client capability on the Cisco platforms by Q2/99 as part of the 
Cisco Directory Services product for IOS Classic 12.05(T) release. 

2.2 Production Standard Costs 

N/A 

2.3 Production Forecast 

N/A 

2.4 Software Memory Estimates 

100K 

2.5 Hardware Memory Options 

N/A 

2.6 Key Project Deliverables 

• Deliver IOS images on all IOS platforms. 

• Deliver the IOS Programmer's Guide for CNS APIs. 

2.7 Key Features 

• CNS GPO API & IOS GPO IPSec Agent 

• CNS Configuration Notify Agent 

• CNS Provision Agent 

2.8 Features Not Supported 

N/A 

2.9 Performance

TBD

3 Development Approach

The CNS IOS Components team will provide platform-independent API code and build IOS-specific subsystem objects.
IOS applications will link with that code.

4 Product Development Activities Entry/Exit Criteria

4.1 Strategy & Planning Phase Criteria 

This was performed as part of the CNS/AD Directory Service Program. 

4.2 Execution Phase Criteria

4.2.1 Design Criteria 

• Reviewers and impacted groups notified (Entry) 

• Email alias set up for cross BU project team communication (Entry) 

• Software Unit Functional and Design Specifications approved (Exit) 

4.2.2 Product Implementation/Coding Criteria 

• Design validated (Entry) 

• Unit Testing complete (Exit) 

• Code Reviews complete (Exit) 

• Software Unit Functional and Design Specification reviewed (Exit) 

4.2.3 Internal Verification Entry Criteria 

• Test Plans reviewed/approved (Entry) 

• Test Designs complete (Entry) 

• Review of Unit Test Results (Entry) 

• Test coverage and results reviewed (Exit) 

• System Integration Test with IOS complete (Exit) 

• CNS Programmer's API Guide for IOS complete (Exit) 

4.2.4 Code Commit to Mainline Criteria 

• Zero unresolved sev 1 & 2 defects (Entry) 

• Test suites automated (Entry) 

4.2.5 External Validation Criteria 

• External test plans reviewed and approved (Entry) 

• Feature and Integration Tests complete (Entry) 

• Regression Test complete (Exit)

• Zero unresolved sev 1 & 2 defects (Entry/Exit)

• Automated test scripts submitted to ARF (Exit) 

4.3 Deployment Phase 

• FCS Release criteria met (Entry) 

• Post Project Assessment meeting (Entry + 3 months). 



5 Key Development Tasks 

5.1 H/W Development Tasks 

N/A 

5.2 S/W Development Tasks 

5.2.1 Access to CNS VOB 

Every IOS DE who works on the project should be able to access the CNS VOB to view the source code of the
APIs.

5.2.2 Process for the IOS Build

The process established in 12.04(T) will be used to build IOS objects in CNS VOB. The process will be 
communicated to every DE (CNS or IOS). 

5.2.3 CNS GPO Resolver Service 

Group Policy allows an organization to reduce its TCO by allowing administrators to define centralized policies
and apply them to groups of objects using the infrastructure provided by Cisco Directory Services. The CNS GPO
Resolver Service impersonates an IOS client to retrieve policy information from Directory Services and send it back
when the IOS client requests it through the GPO API. This is an NT service/daemon running on an NT5 workstation,
based on the "CNS/AD GPO Resolver Service and API for IOS - Software Unit Functional Specification"
(ENG-29745). This daemon has been implemented and unit-tested under NT5, and so has the API.



5.2.4 IOS IPSec GPO Policy Agent

This is an IOS GPO client for IPSec policy. It will use the CNS GPO API to communicate policy information
between Directory Service and an IOS device. It is an essential piece of software required for Cisco Powered VPN
implementation.

5.2.5 Configuration Notify Agent 

This is a small agent that listens to any attempts to change the running configuration. 

5.2.6 Provision Agent 

This agent will play an important role in Cisco Powered VPN implementation.

5.3.1 SNMP Enhancements

N/A 

5.3.2 MIB Enhancements 

N/A 

5.4 Test Engineering Tasks 

• Automate any CNS IOS 12.04(T) feature test scripts and submit to ARF 

• Set up test bed for Kerberos Change Password 

• Set up test bed for GPO/IPSec GPO client 

• Integration testing for GPO/IPSec GPO client 

• Integration testing for Configuration Notify Agent 

• Integration testing for Provision Agent 

5.5 Diagnostic Development Tasks 

N/A 

5.6 Mechanical/Power Development Tasks 

N/A 

5.7 Compliance Test Tasks 

5.7.1 Agency Regulatory Approvals 



• Compliance testing for the regulatory approvals 



Regulatory Approval          Requirement
PTT/Network Certification    none
Safety                       none
Emissions                    none
EMC                          none



5.7.2 Standards 

• Verification testing for the standards compliance 

• PTT/Network Certification shall include harmonized standards, Common Technical Requirements (CTRs) 
and any other means to be used in achieving compliance with the requirements of the European Directive 
91/263/EEC

The PTT/Network Certification department is responsible for determination of the appropriate
PTT/Network Certification test requirements. In particular, the BABT Approvals Liaison Engineer 
(ALE)/Deputy Approvals Liaison Engineer(DALE) in the PTT/Network Certification department are 



Standards    Requirement/Revision Level
CCITT/ITU    none
ANSI         none
IETF         none
RFC          draft-ietf-cat-kerb-chg-password-02.txt
ETSI         none
BELLCORE     none
CTRs*        none
NETs*        none



* The PTT/Network Certification department will supply the appropriate CTR and NET Standards.



6 Program Risks and Interdependencies 

6.1 Resource Contentions 

No testing resource has yet been located for the unit testing and integration testing of Kerberos Password Change
and the GPO API/IPSec client, including setting up both test beds.

6.2 External Dependencies 

This project depends on the IOS implementations of both Kerberos Password Change and the IPSec GPO client by the
IOS Network Protocol/Security Engineering group. The project also requires unit testing and integration testing of
both features by the same team.

6.3 Technological Risks 

None so far 

6.4 Other Risks 

The current estimate of code size is about 100K. Every effort will be made to reduce the code size, but it is not 
known at the time of writing how much it can be reduced. This may be a major issue for low end platforms. 



7 Exceptions to Development Methodology 

Although there is no formal PRD for this project, CNS marketing has collected many customers' inputs that are
being used to determine the features of this project.

8 Resource Requirements & NRE

8.1 Engineering Staffing 



Name                         Function
Fan Jiao                     Project Manager
                             Target Release Program Manager
N/A                          Hardware Manager
N/A                          Hardware Engineer
N/A                          Product Support Engineer
Fan Jiao (CNS)               Software Managers
Don Wooton (CNS Dev Test)
Peter Haig (IOS)
Dalia Geller (IOS)
David Bleazley (IOS)         Software Engineers
Silvana Zdravkov (IOS)
Allen Long (IOS)
Simon Zhao (CNS)
Arvind Jamwal (CNS)
Fan Jiao (CNS)
Tony Zhang (CNS Dev Test)




8.2 Non-Engineering Staffing


Name                    Function
Vijay Parthasarathy     CNS Marketing
Dave Cavanaugh (IOS)    SW Documentation contact
N/A                     HW Documentation contact
N/A                     CE contacts



8.3 Engineering Expenses Summary 



Development Expense           Cost
Prototypes                    N/A
Support equipment expenses    N/A
Capital, test equipment       $15,000
Capital, systems              $15,000
Agency                        N/A
Outside services              N/A
Total                         $30,000


8.3.1 Equipment Costs 


Equipment List   Qty   Cost   Use and disposition
C2500            2     2K     GPO IPSec test
C4700            2     6K     ChangePassword test
C7500            1     7K     Event Service app test
Pentium II PC    3     15K    GPO Resolver Service Server
                              ChangePassword test
                              Event Service Server


9 Schedule 


MILESTONE                                      ORIGINAL PLAN   CURRENT FORECAST   COMMENTS
Program Plan
Resource Committed
SW Unit Func Specs Complete
SW Unit Func Specs Reviewed
CNS Components integrate to IOS
SW Design Specs Complete
SW Design Specs Reviewed
Test Specs Complete
Test Specs Reviewed
Code Complete
Unit Test Complete
Integration Complete
12.05 Commit
Integration/System Test Complete
EFT USWest
EFT MCIWorldCom
Automated Test Scripts Complete
Test Scripts submitted to
CNS Programmer's API Guide Review Complete     TBD
Begin EFT                                      TBD
Begin Beta Test                                TBD